Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

intelmqsetup changes the root directory ownership #2354

Closed
kamil-certat opened this issue Apr 25, 2023 · 1 comment · Fixed by #2355
Closed

intelmqsetup changes the root directory ownership #2354

kamil-certat opened this issue Apr 25, 2023 · 1 comment · Fixed by #2355
Assignees
@kamil-certat
Labels
bug Indicates an unexpected problem or unintended behavior component: core packaging
Milestone
3.1.1

Comments

@kamil-certat
Copy link
Contributor

intelmqsetup tries to fix ownership of related directories:

intelmq/intelmq/bin/intelmqsetup.py

Lines 172 to 176 in 7674949

if ownership:
print('Setting intelmq as owner for it\'s directories.')
for obj in (CONFIG_DIR, DEFAULT_LOGGING_PATH, ROOT_DIR, VAR_RUN_PATH,
VAR_STATE_PATH, FILE_OUTPUT_PATH, Path(STATE_FILE_PATH).parent):
change_owner(obj, owner='intelmq')

However, the ROOT_DIR can be set to /:

intelmq/intelmq/__init__.py

Lines 18 to 20 in 7674949

if path == "lsb":
ROOT_DIR = os.getenv("ROOT_DIR", "/")
CONFIG_DIR = os.path.join(ROOT_DIR, "etc/intelmq/")

This causes intelmqsetup to take over the ownership of the root directory, what could open some security risk as well as break some system actions (e.g. systemd-tmpfiles)
kamil-certat added a commit to kamil-certat/intelmq that referenced this issue Apr 25, 2023
@kamil-certat
FIX: intelmqsetup - never take ownership of /
0e69f75 
The tool intelmqsetup wants to change the owner ROOT_DIR path.
If instructed to install IntelMQ in LSB-style paths, it's set
to the '/' resulting in changing the owner of system root to
intelmq.

This case is rare to happen (requires explixitly set INTELMQ_PATHS_NO_OPT
variable and using PIP package or directly the source code,
as the native package doesn't contain intelmqsetup), but it's
still potentially dangerous and can cause the system degradation
(e.g. prevents systemd-tmpfiles from working correctly).

Fixes: certtools#2354
@kamil-certat kamil-certat mentioned this issue Apr 25, 2023
Merged
@sebix sebix added bug Indicates an unexpected problem or unintended behavior component: core packaging labels May 3, 2023
@sebix sebix added this to the 3.1.1 milestone May 3, 2023
@sebix
Copy link
Member

sebix commented May 3, 2023

It should be noted that path == "lsb" is only true if the user explicitly sets INTELMQ_PATHS_NO_OPT, and only in installations from git/PyPI. Installations from packages are not affected, the affected code is not present there.

gethvi pushed a commit to gethvi/intelmq that referenced this issue Jun 13, 2023
@kamil-certat @gethvi
FIX: intelmqsetup - never take ownership of /
6c756ef 
The tool intelmqsetup wants to change the owner ROOT_DIR path.
If instructed to install IntelMQ in LSB-style paths, it's set
to the '/' resulting in changing the owner of system root to
intelmq.

This case is rare to happen (requires explixitly set INTELMQ_PATHS_NO_OPT
variable and using PIP package or directly the source code,
as the native package doesn't contain intelmqsetup), but it's
still potentially dangerous and can cause the system degradation
(e.g. prevents systemd-tmpfiles from working correctly).

Fixes: certtools#2354
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kamil-certat kamil-certat

Labels
bug Indicates an unexpected problem or unintended behavior component: core packaging
Projects
None yet
Milestone
3.1.1
Development

Successfully merging a pull request may close this issue.

FIX: intelmqsetup - never take ownership of / kamil-certat/intelmq
2 participants
@sebix @kamil-certat